Extracted

Extracted

• • Target

    c5f0a4ae27782f18d689f631c0ab99cf8f6084024095ae23af9c1551c2b08d34

  • Size

    1.8MB

  • MD5

    0489853851af72249820f235b2bcf25a

  • SHA1

    535a0c3f8d1e915fc8f181e8bc6b1213fc89149c

  • SHA256

    c5f0a4ae27782f18d689f631c0ab99cf8f6084024095ae23af9c1551c2b08d34

  • SHA512

    38852693724998ee671a0e7e983fd2e28b893705806137d84f996b01272e6398b2bcb3f92750ca02e266d08c27fede27adb8d989b72d6c1b0b007d967d60660f

  • SSDEEP

    49152:lOGriyItXN7y4tAfHn47iz9Pa4hzmh72y/V:lOGjffg69Pfzmh72

  Score

  10^/10

  amadey0e6740evasiontrojanrisepropersistencestealer

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2